KREUZADER (Posts tagged security)


There’s No Hard Evidence That Law Enforcement is Actually “Going Dark”

In both hearings the witnesses representing law enforcement trotted out scary hypothetical situations and terrifying anecdotes about how encryption could stifle investigations and let “bad guys” go free. But when asked by Senators if they had any actual numbers on how often strong encryption thwarted investigations, neither Director Comey nor DAG Yates had any idea.

Both tried to duck the question by claiming that it was like “proving a negative.” But counting each time a law enforcement officer can’t access data because of encryption (or even just thinks they won’t be able to access data, without actually trying) doesn’t seem that difficult.

The only actual number mentioned was from Manhattan District Attorney Vance, who said that his office had encountered locked iPhones 74 times. A spokesperson for his office told Wired that this was over 9 months, and that the office handles approximately 100,000 cases in the course of a year. This means the office encountered encryption in less than 0.1% of cases. That doesn’t sound like “going dark” is really a particularly pressing problem—especially since DA Vance didn’t bother to explain how any of the 74 encrypted iPhones that his office encountered actually stood in the way of a successful prosecution.

cryptography privacy politics encryption security

“A whole lot of good people have said it’s too hard … maybe that’s so,” he said to the Intelligence Committee. “But my reaction to that is: I’m not sure they’ve really tried.”

In a comment worthy of climate denialists, Comey told one senator: “Maybe the scientists are right. Ennnh, I’m not willing to give up on that yet.”

security cybersecurity

The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the “R” in the widely used RSA public cryptography algorithm. In the report, the group said any effort to give the government “exceptional access” to encrypted communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power grid at risk.

security cybersecurity

ok, this is nanners - software finding and fixing exploitable software bugs:

The CGC Qualifying Event from which the seven winning teams emerged:

- was the first CTF played solely by machines

- operated at a speed and scale at which only machines can compete. For example, most CTF events challenge experts to analyze and secure about 10 pieces of software over 48 hours. The CGC Qualifying Event demanded that teams’ machines work on 131 pieces of software—more than any previous CTF event—over just 24 hours. Some teams’ systems secured single pieces of software in less than an hour.

- resulted in participating teams together fixing all of the 590 flaws in the competition software of which the contest developers were aware.

darpa security cybersecurity

Kaspersky researchers have long eschewed the practice followed by many of their security research peers of attributing attacks to particular hacking groups or the sovereign nations that often support them. Wednesday’s report documenting the Duqu 2.0 attacks is no different.

[…]

“For a security company, one of the most difficult things is to admit falling victim to a malware attack,” Kaspersky researchers wrote in their report. “At Kaspersky Lab, we strongly believe in transparency, which is why we are publishing the information herein. For us, the security of our users remains the most important thing—and we will continue to work hard to regain your trust and confidence.”

nsa security


But, despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth. As part of our constant efforts to improve account security, we analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.

Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.

security

We are adopting a new airworthiness directive (AD) for all The Boeing Company Model 787 airplanes. This AD requires a repetitive maintenance task for electrical power deactivation on Model 787 airplanes. This AD was prompted by the determination that a Model 787 airplane that has been powered continuously for 248 days can lose all alternating current (AC) electrical power due to the generator control units (GCUs) simultaneously going into failsafe mode. This condition is caused by a software counter internal to the GCUs that will overflow after 248 days of continuous power. We are issuing this AD to prevent loss of all AC electrical power, which could result in loss of control of the airplane.


“buffer overflow causes crash”

security